3 Key Implications of Russia’s Invasion of Ukraine for Audit and Risk Leaders

In short:

• Russia’s invasion of Ukraine has introduced new fast-moving risks for many organizations.
• Audit and risk leaders can support their organization’s short- and long-term response but may need to step outside their traditional roles to do so.
• In your organization’s journey to compliance, ensure adequate risk coverage, increase frontline reporting and coordinate a crisis response.

Russia’s invasion of Ukraine has drawn global condemnation and, specific to risk and audit functions, rapid rounds of economic sanctions and other legislative measures against Russia. The risk landscape has been redrawn overnight. As such, risk and audit teams must move fast to ensure their organizations are compliant with the latest measures.

“We’ve talked recently about the 4 key risk areas to monitor immediately in response to this crisis,” says Ian Beale, Vice President, Advisory at Gartner. “But there are wider implications for risk and audit teams in how they must go about their business in light of current events.”

Read more: Resources for Executives and Their Teams Amid Russia’s Invasion of Ukraine

To help you shape a response, Gartner experts have identified 3 major actions to take:

No. 1: Audit must ensure adequate risk coverage

As situations unfold, document any process or control changes. This way, your team is prepared to advise senior leadership on where it’s important to reestablish controls once it’s safe to do so.

“In a fast-moving situation like this, it may be necessary to have all hands on deck to ensure adequate risk coverage,” says Beale. “Audit should partner with enterprise risk management to support risk identification and response and work with first-line functions to identify areas where audit can contribute their expertise, such as analysis, research and reporting.”

You will need to be flexible so you can adjust their planned work and the scope of each assignment to ensure focus at the right time on the right topics.

Also reassess scenario planning exercises to ensure they still consider relevant factors and continue to support long- and short-term business plans. 

No. 2: Risk teams should increase the frequency of frontline reporting

“The risk landscape is changing almost daily as more measures against Russia come into force,” says Beale. “Increase communication with key stakeholders on emerging risks and events and how they relate to key enterprise risks. Deliver frontline risk reports more frequently than usual to keep decision-makers abreast of the risk situation and response efforts.”

Aggregate and communicate information on emerging risks and new circumstances that may affect risks identified in the enterprise risk register. Provide interim updates on changes in the organization’s risk profile and status of mitigation efforts.

Also, prepare a quick turnaround risk “deep dive” report for the executive risk committee and the board of directors. Be sure to make note of Russia’s invasion of Ukraine in existing risk reports to highlight new and amplified risks.

Make certain to revisit key risk assumptions to ensure they still match the operational reality. From there, establish key risk indicators that would trigger risk escalation and response activities if breached.

Read more: 5 Things Marketing Leaders Must Do in the Wake of the Russian Invasion of Ukraine

No. 3: Coordinate crisis response and activities

“The speed at which new risks are emerging due to the Russian invasion of Ukraine has the potential to overwhelm the ability of individual assurance functions to respond,” says Beale. “To ensure an effective and efficient crisis response, assurance functions must coordinate and align their activities.”

It’s critical to collaborate across assurance functions when inventorying risk changes resulting from Russia’s invasion of Ukraine. Don’t miss opportunities to formalize information sharing by identifying the metrics tracked across multiple functions.

Ideally, assurance functions work toward a single risk, control, issue and action plan database that includes input from all internal assurance functions. This can fuel a joint report to the board and executive committees with a single and comprehensive view of the risks the organization faces. 

It’s important to note that although corporate actions may be legally compliant, there are significant risks associated with the public perception of actions that may be seen as trying to profit from the conflict.

These necessary actions reinforce the moves that some audit and risk leaders are starting to take more broadly to move their organizations toward being more resilient.This includes breaking down silos between assurance functions and building a corporate culture that can predict, absorb, react and recover from major disruptions. Disruptions could come from natural disasters, future conflicts or major market changes, any of which could impact customers, colleagues, suppliers or funding.

Clients can access Gartner's full suite of resources for navigating the Russian invasion of Ukraine here.